February 2009
Report No. AUD-09-004

FDIC’s Controls Related to the Offsite Review List

AUDIT REPORT

Federal Deposit Insurance Corporation

Why We Did The Audit

The FDIC insures about 8,500 financial institutions with assets totaling over $13 trillion and domestic deposits totaling over $6.9 trillion. The federal banking agencies (the agencies), which include the FDIC, have developed a number of tools for monitoring the health of individual institutions and the industry as a whole. The FDIC has developed eight offsite systems to monitor insured institutions between examinations. Three of these systems are used to produce the Offsite Review List (ORL), which identifies insured institutions with potential problems (as described later). Within the FDIC, the Division of Supervision and Consumer Protection (DSC) is responsible for performing offsite monitoring of FDIC-insured depository institutions.

The audit objective was to assess DSC’s internal controls for performing offsite monitoring of insured financial institutions. The audit focused on the controls related to offsite reviews of institutions on the ORL. As part of our audit, we also reviewed DSC’s implementation of a recommendation by the Government Accountability Office (GAO) for strengthening the FDIC’s risk assessment activities through periodic evaluations and monitoring of the Corporation’s offsite monitoring systems.

Background

One of the FDIC’s primary offsite monitoring tools is the Statistical CAMELS Offsite Rating (SCOR) model, a statistical model that uses financial ratios and historical examination results to assign an offsite CAMELS rating. (CAMELS is an acronym for the components Capital, Asset quality, Management, Earnings, Liquidity, and Sensitivity to market risk. Institutions receive a composite and component rating of 1 to 5, with 1 having the least regulatory concern and 5 having the greatest concern.) SCOR is designed to identify 1- and 2-composite rated institutions that have experienced substantial financial deterioration since the last onsite examination.

SCOR and two other risk measurement systems, SCOR-Lag and the Growth Monitoring System, are used to produce the ORL each quarter. The ORL consists of 1- and 2-rated institutions that have been identified with potential problems or pose the risk of being downgraded to a 3 rating or worse at the next examination.

DSC’s Case Manager Procedures Manual requires an analysis of all institutions on the ORL so an appropriate supervisory strategy can be developed, as warranted.

Audit Results

DSC has established internal controls for performing offsite monitoring of insured financial institutions. Specifically, each institution on the ORL must have an offsite review completed and approved within 3½ months after the end of each quarter. We sampled 60 of the 577 institutions on the December 31, 2007 ORL and found that DSC had completed offsite reviews for each sampled institution, developed supervisory strategies, and documented the reviews in accordance with DSC policies and procedures.

Additionally, DSC has initiated a process for periodically evaluating its offsite monitoring systems in response to a February 2007 GAO recommendation to evaluate and monitor these systems. DSC plans to evaluate, on a rotational basis, its offsite monitoring systems. However, at the time of our audit, no details regarding a schedule or procedures for conducting evaluations were available, and no system evaluations had been performed.

Although the FDIC has developed an extensive offsite monitoring program, opportunities exist for improvement. Specifically, we found that the ORL was not capturing a significant percentage of institutions that DSC, through its risk management examinations, downgraded to a 3 rating or worse, including many of the institutions that ultimately failed.

DSC pointed out that although the ORL may not have captured a significant percentage of institutions that were downgraded, the same institutions may have been receiving additional DSC supervisory attention through other monitoring tools. In addition to the ORL, the FDIC uses several other offsite monitoring tools to monitor risks within the industry and to identify potential emerging risks that may require additional supervisory follow-up—including a model that projects an institution’s CAMELS rating subject to a real estate crisis similar to one in New England in the early 1990s; a model that identifies institutions that have experienced consistent rapid growth (over several quarters) and/or a funding structure that is highly dependent on non-core sources; a report that monitors institutions exhibiting high-risk lending activity; a report that monitors the condition of institutions that have been in operation less than 8 years; a quarterly monitoring program for institutions with total assets over $10 billion; and a model that identifies institutions with characteristics that have been associated with fraud, formal regional risk committees, and various regional monitoring programs and watch lists.

Thorough and timely evaluations of the three DSC models-based offsite monitoring systems that create the ORL are needed to determine if the assumptions and methodologies used reasonably support determinations for including institutions on the ORL. Further, the offsite monitoring systems used to create the ORL are largely based on historical indicators, pertaining to institution asset quality, earnings, and capital, that may not fully consider current and emerging risks. As a result, the ORL may not be capturing a complete picture of the risks facing 1- and 2-composite rated institutions or identifying those institutions at risk of significant ratings downgrades.

Using actual failure and downgrade information to test all offsite monitoring systems and incorporating the results into evaluations of those systems could lead to a more focused ORL and a more effective and efficient offsite monitoring program. Scheduling all offsite monitoring systems for regular evaluations and establishing procedures to conduct the evaluations would help to assure that management’s objectives regarding offsite monitoring are being achieved and financial risks to the FDIC’s Deposit Insurance Fund are being mitigated.

Recommendations and Management Response

We recommended that DSC: (1) validate the assumptions and methodology used in SCOR; (2) ensure that the regular evaluations of all offsite monitoring systems used to create the ORL are performed as scheduled; and (3) establish procedures to evaluate all models-based offsite monitoring systems and, as part of these procedures, consider recent failure and downgrade information to test the efficacy of the logic and assumptions used in the offsite monitoring systems. In its response to the audit, DSC stated that it concurred with the recommendations and completed the recommended actions. Additionally, DSC provided comments regarding the accuracy of the ORL as a predictive tool and stated that DSC had completed the first of the GAO-recommended evaluations.

To view the full report, go to www.fdicig.gov/2009reports.asp

Contents

BACKGROUND

RESULTS OF AUDIT

CONTROLS FOR PERFORMING OFFSITE REVIEWS

EFFECTIVENESS OF THE ORL
   Guidance Related to Ensuring the Effectiveness of the ORL
   Accuracy of the ORL in Identifying Problem Institutions
      Failed Institutions That Were Not Identified on ORLs
      Downgraded Institutions That Were Not Identified on ORLs
   Division of Insurance and Research Analysis of SCOR’s Performance
   Implementation of a GAO Recommendation Related to Evaluating Offsite Monitoring Systems
   Conclusion
   Recommendations for Enhancing the Effectiveness of the ORL

CORPORATION COMMENTS AND OIG EVALUATION

APPENDICES
  1. OBJECTIVE, SCOPE, AND METHODOLOGY
  2. THE FDIC’S OFFSITE MONITORING TOOLS
  3. OIG ANALYSIS OF WHETHER FAILED INSTITUTIONS WERE ON THE ORL PRIOR TO FAILURE
  4. CORPORATION COMMENTS
  5. MANAGEMENT RESPONSE TO RECOMMENDATIONS
  6. ACRONYMS USED IN THE REPORT

TABLES
  1. Offsite Review Dates
  2. Sample of Institutions from the December 31, 2007 ORL
  3. Number of Insured and Supervised Institutions, by Regulator

FIGURE
  Number of Institutions on the ORLs Since 2006

Federal Deposit Insurance Corporation
3501 Fairfax Drive, Arlington, VA 22226
Office of Audits
Office of Inspector General

DATE:            February 19, 2009

MEMORANDUM TO:   Sandra L. Thompson, Director
                 Division of Supervision and Consumer Protection

                 /Signed/
FROM:            Russell A. Rau
                 Assistant Inspector General for Audits

SUBJECT:         FDIC’s Controls Related to the Offsite Review List
                 (Report No. AUD-09-004)

This report presents the results of our audit of the FDIC’s controls related to one of its offsite monitoring tools—the Offsite Review List (ORL).[1] The audit objective was to assess the FDIC’s internal controls for performing offsite monitoring of insured financial institutions. We focused the audit on the Division of Supervision and Consumer Protection’s (DSC) controls pertaining to offsite reviews of institutions on the FDIC’s ORL, which identifies insured institutions with 1 and 2 composite ratings and potential problems that pose the risk the institution will be downgraded at the next examination.
[2] As part of our audit, we also reviewed DSC’s implementation of a recommendation by the Government Accountability Office (GAO),[3] pertaining to strengthening the FDIC’s risk assessment activities through periodic evaluations and monitoring, including offsite monitoring.

We conducted this performance audit in accordance with generally accepted government auditing standards. Appendix 1 of this report discusses our audit objective, scope, and methodology in detail.

[1] The ORL is described in more detail in the Background section of this report. It is important to note that DSC uses several other offsite monitoring tools to monitor risks within the industry and to identify potential emerging issues that may require additional supervisory follow-up.

[2] Under the Uniform Financial Institutions Rating System (UFIRS), each financial institution is assigned a composite rating by a federal or state banking agency based on an evaluation and rating of six essential components of an institution’s financial condition and operations. These component factors address the adequacy of Capital, the quality of Assets, the capability of Management, the quality and level of Earnings, the adequacy of Liquidity, and the Sensitivity to market risk (otherwise known as CAMELS).

[3] Report Number GAO-07-255, Federal Deposit Insurance Corporation: Human Capital and Risk Assessment Programs Appear Sound, but Evaluations of Their Effectiveness Should Be Improved, dated February 15, 2007.

BACKGROUND

Section 10(d) of the Federal Deposit Insurance Act requires annual onsite examinations of each insured financial institution at least once during each 12-month period.[4] Annual examination intervals may be extended to 18 months if the insured institution has assets totaling less than $500 million and is well managed and well capitalized. As stated in the FDIC Banking Review, 2003, Volume 15, No. 3, onsite examinations provide the most complete and reliable information about an institution’s financial health, and the federal banking agencies regard CAMELS ratings as the single best indicator of an institution’s condition. However, subsequent to a completed onsite examination, an institution’s financial condition may change, so the CAMELS ratings may no longer accurately reflect the institution’s current condition. Therefore, the FDIC has developed various offsite tools, including the ORL, to monitor insured institutions between examinations.

As identified in the Offsite Review Program section of the Case Manager Procedures Manual (Procedures Manual), DSC developed eight risk measures for monitoring the condition of individual institutions. These eight risk measures use offsite data to assist in monitoring the risk of about 8,500 insured institutions (including non-FDIC supervised institutions). The eight measures use information reported in financial institutions’ quarterly Consolidated Reports of Condition and Income (Call Report) and Thrift Financial Reports (TFR). Information from the measures may also aid examiners in planning for an onsite examination. The eight measures are described below.

   •   The Statistical CAMELS Offsite Rating (SCOR) model uses statistical techniques to measure the likelihood that an institution will receive a ratings downgrade at the next examination. The output of the model is derived from historical examination results as well as from Call Report and TFR data.

   •   SCOR-Lag, a derivation of SCOR, attempts to more accurately assess the financial condition of rapidly growing banks.

   •   The Growth Monitoring System (GMS) identifies institutions experiencing rapid growth and/or with a funding structure highly dependent on non-core funding sources.

   •   The Real Estate Stress Test (REST) projects an institution’s CAMELS rating subject to a real estate crisis similar to that in New England in the early 1990s.

   •   Consistent Grower is a cumulative growth score measure using up to 20 quarters of GMS scores.

   •   The Quarterly Lending Alert (QLA) monitors institutions exhibiting high-risk lending activity such as subprime lending.

   •   Young Institutions identifies institutions that are less than 8 years old.

   •   Multiflag combines the multiple risk measures discussed above.

[4] 12 United States Code 1820(d).

Three of these eight measures are used to produce the quarterly ORL: the SCOR, SCOR-Lag, and GMS. The ORL consists of 1- and 2-composite rated institutions that are (1) identified by SCOR or SCOR-Lag with a 35 percent or higher probability of being downgraded to a 3 rating or worse at the next examination or (2) flagged by the GMS as being in the 98th or higher growth percentile.

DSC stated that it uses several other offsite monitoring tools to monitor risks within the industry and to identify potential emerging issues that may require additional supervisory follow-up.
These tools (details are in Appendix 2) include, but are not limited to, the following:

   •   Large Insured Depository Institution (LIDI) Program.
   •   Internal Control Assessment Rating System (ICARuS) and Risk Analysis Center (RAC) Dashboard.
   •   Regional Watch Lists.
   •   Regional Offsite Monitoring and Supervisory Strategies.
   •   Regional Risk Committees.
   •   Quarterly Supervisory Risk Profile.

According to DSC, it created and staffed two new sections in 2008 to strengthen the examination program and enhance the risk assessment process, including offsite review. These sections are: (1) the Risk Analysis Section, which analyzes offsite information available through various monitoring systems, together with specific information gathered during examinations, to proactively identify risks and trends; and (2) the Emerging Issues Section, which was created to enhance the Corporation’s ability to develop proactive forward-looking bank supervision policy and conduct offsite monitoring of various institutional risks.

Information in DSC’s Virtual Supervisory Information on the Net (ViSION) System shows that the number of institutions on the ORL has been increasing significantly since 2006, as shown in the figure, which follows.

Figure: Number of Institutions on the ORLs Since 2006
 ORL Date        Number of Institutions
 3/31/06         161
 6/30/06         218
 9/30/06         246
 12/31/06        252
 3/31/07         298
 6/30/07         347
 9/30/07         408
 12/31/07        577
 3/31/08         842
Source: Office of Inspector General (OIG) analysis of ViSION system information.

Examiner Guidance

Section 13 of the Procedures Manual discusses the Offsite Review Program, including: (1) definitions of the eight risk measures, (2) generation of the ORL based on updated quarterly Call Report data, (3) deadlines for conducting an offsite review, (4) the reviewer’s documented findings and supervisory strategy in the Offsite Module of ViSION, and (5) ViSION comments on reviews that found medium or high levels of risk. The Procedures Manual does not provide specific step-by-step instructions for completing the offsite review; rather, it provides a general overview of the Offsite Review Program.

According to the Procedures Manual, “[E]ach institution on the ORL must have an Offsite Review and will appear in the Active Tasks of the appropriate Case Manager or Field Supervisor in ViSION.” Case Managers or Field Supervisors perform the offsite reviews to determine whether supervisory attention is warranted before the next regularly scheduled examination or a rating change should be initiated, if the review indicates that the institution poses a greater risk to the insurance fund than indicated by the composite rating. The manual also states that offsite reviews must be completed and approved within 3½ months after each Call Report date.
Table 1, which follows, shows the schedule for completing and approving offsite reviews.

Table 1: Offsite Review Dates
 Call Report Date      Call Report Finalized      Offsite Reviews Approved
 March 31              May 31                     July 15
 June 30               August 31                  October 15
 September 30          November 30                January 15
 December 31           February 28                April 15
Source: The Case Manager Procedures Manual.

Prior Related Audit Attention

In February 2007, the GAO issued a report entitled, Federal Deposit Insurance Corporation: Human Capital and Risk Assessment Programs Appear Sound, but Evaluations of Their Effectiveness Should Be Improved (Report No. GAO-07-255). In its report, the GAO noted that the FDIC has an extensive risk assessment system and contingency plans for bank failures but had not comprehensively or routinely evaluated the system or plans. Although the GAO noted that the FDIC had conducted a one-time analysis of the performance of SCOR, the GAO also noted that the FDIC was not regularly evaluating its offsite monitoring systems for reliability and underscored the need for the Corporation to perform more regular reviews. The GAO recommended that

       . . . to strengthen the oversight of its risk assessment activities, the FDIC should develop policies and procedures clearly defining how it will systematically evaluate and monitor its risk assessment activities and ensure that required evaluations are conducted in a comprehensive and routine fashion.

In response to the GAO report, the Corporation stated:

       We agree that it would be beneficial to review our risk assessment activities to ensure they are comprehensive, appropriate to our mission, and fully evaluated. As noted in the GAO draft report, a review of FDIC offsite monitoring systems has been completed, and work continues to implement needed changes.

       Beginning in January 2007, an interdivisional committee will perform an in-depth review of current risk assessment activities and evaluation procedures. By September 30, 2007, the committee will make recommendations to FDIC executive management as to how we might strengthen the risk assessment framework. At that time, management will establish a reasonable timeline to implement any required changes.

RESULTS OF AUDIT

DSC has established an internal control process for performing offsite monitoring of insured financial institutions identified on the ORL. The internal control process includes: (1) scheduling and performing offsite reviews for each institution on the ORL; (2) documenting the analyses performed as part of each review, including a supervisory strategy; and (3) requiring a supervisory approval of the reviews performed.
We sampled 60 of the 577 institutions on the December 31, 2007 ORL and found that DSC had completed offsite reviews for each sampled institution and documented the reviews in accordance with DSC policies and procedures, including specifying a supervisory strategy. Further, there was evidence of supervisory review for each of the offsite reviews in our sample (Controls for Performing Offsite Reviews).

Although DSC has developed an extensive offsite review program using a variety of sources – including the LIDI program, the QLA, and Regional Watch Lists – to monitor financial institution condition, the ORL was not capturing a significant percentage of institutions that DSC, through its risk management examinations, downgraded to a 3 rating or worse, as illustrated below.

   •   For 20 institutions that failed from January 2001 through July 2008, which were rated 1 or 2 in an examination during that period, 13 institutions (65 percent) did not appear on an ORL in the 4 quarters prior to the quarter each institution was downgraded to a 3, 4, or 5 rating (see Appendix 3).

   •   Of the 223 institutions that were downgraded by 2 or more ratings from 2002 through 2007, 151 institutions (68 percent) did not appear on an ORL in the 4 quarters prior to the downgrades.

   •   From 1998 through 2007, SCOR did not flag 2,011 (88 percent) of 2,281 institutions that were eventually downgraded to a 3 rating or worse (referred to by DSC as a Type I Error – the percentage of downgraded institutions that SCOR did not identify as problem institutions).

   •   From 1998 through 2007, SCOR flagged 832 institutions of which 562 (68 percent) were not downgraded (referred to by DSC as a Type II Error – the percentage of institutions that were identified by SCOR but were not downgraded in a subsequent examination).

The assumptions and methodologies in SCOR have not been updated since 2003. Further, the offsite monitoring systems used to create the ORL are largely based on historical indicators pertaining to institution asset quality, earnings, and capital that may not fully consider current and emerging risks. As a result, the ORL may not be capturing a complete picture of the risks facing 1- and 2-rated institutions or identifying those institutions at risk of significant ratings downgrades.

Additionally, DSC has initiated a process for periodically evaluating the three models-based systems that determine the ORL in response to a February 2007 GAO recommendation to evaluate and monitor these systems. DSC plans to evaluate, on a rotational basis, all of its offsite monitoring systems. However, at the time we completed our audit fieldwork, no details regarding a schedule or procedures for conducting evaluations were available, and no system evaluations had been performed.

Validation of the assumptions and methodology used in SCOR is needed on a priority basis to determine if the performance of the system could be enhanced. In addition, thorough evaluations of the three DSC offsite monitoring systems that create the ORL are needed on a regular basis to determine if the assumptions and methodologies used reasonably support determinations for including institutions on the ORL. Using actual failure and downgrade information to test offsite monitoring systems and incorporating the results into evaluations of those systems could lead to a more focused ORL and a more effective and efficient offsite monitoring program.
Scheduling all offsite monitoring systems for regular evaluations and establishing procedures to conduct the evaluations would help to assure that management’s objectives regarding offsite monitoring are being achieved and financial risks to the FDIC’s Deposit Insurance Fund are being mitigated (Effectiveness of the ORL).

CONTROLS FOR PERFORMING OFFSITE REVIEWS

DSC has established an internal control process for performing offsite reviews of insured institutions appearing on the ORL. Such controls include making an assessment of risk, identifying a supervisory strategy, documenting analyses performed, and requiring supervisory approval of the reviews. We sampled 60 of the 577 institutions on the December 31, 2007 ORL. For all 60 institutions, we found that DSC Case Managers or Field Supervisors had complied with guidance in the Procedures Manual. Specifically, a reviewer completed an offsite review for each institution, identified a risk level and trend, identified a supervisory strategy, and documented the review in ViSION. We also found that each review had been approved by an Assistant Regional Director (ARD), as required by the policy. Further, for those institutions not regulated by the FDIC, we found that Case Managers or Field Supervisors contacted the appropriate regulators to discuss supervisory strategies for each of the sampled institutions whose overall risk level was expected to sufficiently change over the next 12-month period. The results of our sample are shown in Table 2.

Table 2: Sample of Institutions from the December 31, 2007 ORL
 Federal Regulator                                          Sampled        Risks        Supervisory      Contacts with
                                                            Institutions   Identified   Strategy Noted   the Regulator
 FDIC                                                       41             Yes          Yes              3
 Office of the Comptroller of the Currency (OCC)            8              Yes          Yes              5
 Office of Thrift Supervision (OTS)                         8              Yes          Yes              5
 Board of Governors of the Federal Reserve System (FRB)     3              Yes          Yes              2
Source: OIG analysis and information in the ViSION system.

Because we noted no matters warranting additional management action, we made no recommendation in this area related to the audit objective.

EFFECTIVENESS OF THE ORL

The ORL has not been as effective in capturing problem institutions as it should be. Although DSC has developed an extensive offsite monitoring program that utilizes a multitude of other systems and ad hoc reports to address emerging risks, DSC has not regularly validated the underlying assumptions and methodologies for the models-based component of the system or conducted regular evaluations of the models used to create the ORL. This led the GAO to recommend that the FDIC strengthen the oversight of its risk assessment activities and systematically evaluate these activities. The assumptions and methodologies in SCOR have not been updated since 2003.
Further, the offsite monitoring systems used to create the ORL are largely based on historical financial information, provided by the financial institution, that may not be accurate and may not fully consider current and emerging risks. As a result, the FDIC’s offsite monitoring systems may not be capturing a complete picture of the current and emerging risks facing 1- and 2-rated institutions or identifying those institutions at risk of significant ratings downgrades.

Guidance Related to Ensuring the Effectiveness of the ORL

FDIC Circular 4010.3, FDIC Enterprise Risk Management Program, adopted internal control standards prescribed in GAO publication, Standards for Internal Control in the Federal Government. The GAO standards apply to all operations (programmatic, financial, and compliance) and are intended to ensure the effectiveness and efficiency of operation, reliability of financial reporting, and compliance with applicable laws and regulations. Circular 4010.3 requires management to develop and implement controls to ensure that management directives are carried out and to provide reasonable assurance that controls are sufficient to minimize exposure to waste, fraud, and mismanagement. The circular also requires management to perform monitoring activities to assess the quality of performance over time and the effectiveness of controls.
Key control activities described in the circular, as they relate to offsite monitoring, include routine management and supervisory actions; transaction comparisons and reconciliations; other actions taken in the course of normal operations; as well as separate and discrete control evaluations, including internal self-assessments and external reviews.

Accuracy of the ORL in Identifying Problem Institutions

To assess the effectiveness of the ORL in identifying institutions at risk of being downgraded, we analyzed ORL and CAMELS ratings information available on failed institutions from January 2001 through July 31, 2008 and on institutions that had been downgraded by two or more ratings from 2002 through 2007. The results of our analysis are discussed below.

Failed Institutions That Were Not Identified on ORLs. Of the 20 institutions that failed from January 2001 through July 2008 and were rated 1 or 2 in an examination during that period, 13 institutions (65 percent) did not appear on an ORL in the 4 quarters prior to the quarter they were downgraded to a 3, 4, or 5 rating (see details in Appendix 3).[5] In its response to these statistics, DSC stated:

    . . . 7 of the 13 institutions that failed and did not appear on the ORL had fraud as a contributing factor for failure. The statistical models used to generate the ORL rely on Call and Thrift Financial Report data and cannot detect deteriorating financial conditions when banks or thrifts misstate their financial information. In addition, another institution was extensively monitored through the LIDI program and also did appear on the ORL for the period from 9/30/00 to 12/31/07.
    After excluding these eight institutions, the ORL identified 7 of the 12 failures (58 percent) in the 4 quarters prior to the quarter the institutions were downgraded.

[5] Since 2001, the FDIC has resolved 32 institution failures with estimated costs to the Deposit Insurance Fund (DIF) that could exceed $10 billion. We reviewed ViSION information on the failed institutions for the 4 quarters before they were downgraded to a 3 rating or worse to determine whether the institutions had appeared on an ORL. We were not able to assess 12 of the 32 institutions because those institutions were 3 rated or worse prior to 2000, and ORL information was not available in ViSION prior to 2000.

Downgraded Institutions That Were Not Identified on ORLs. We obtained a list from FDIC officials of 223 institutions rated 1 or 2 that had been downgraded by 2 or more ratings from 2002 through 2007. When we compared these institutions to the ORLs created during that time period, we found that 151 institutions (68 percent) did not appear on an ORL in any of the 4 quarters prior to the multiple downgrade despite, in many cases, significant financial deterioration. Our results indicate that actual failure and downgrade information would be useful in testing the efficacy of the assumptions and methodologies used in the offsite monitoring systems.

Division of Insurance and Research Analysis of SCOR’s Performance

DSC provided us with a memorandum, dated February 4, 2008, summarizing a Division of Insurance and Research (DIR) analysis of SCOR’s performance from 1985 to the first quarter in 2007. The memorandum states that SCOR’s performance was evaluated in terms of whether the model was able to correctly identify banks that were subsequently downgraded. DIR’s analysis showed that from 1998 through 2007, SCOR did not flag 2,011 (88 percent) of 2,281 institutions that were eventually downgraded to a 3 rating or worse and that SCOR flagged 832 institutions of which 562 (68 percent) were not downgraded in a subsequent examination. According to the memorandum, during periods of economic expansion and growth:

    . . . institutions are more likely to be downgraded for non-financial reasons (such as incompetent management, fraud, etc.). In such periods, a financial conditions model such as SCOR, which identifies institutions based purely on the financial ratios, is more likely to miss the downgrades.

DIR’s analysis points to potential issues related to the accuracy of the SCOR model. DSC stated that it recognized the limitations of offsite monitoring models and does not rely solely on these models to evaluate the potential risks posed by financial institutions.

In 2005, an FDIC interdivisional team completed a project to review and evaluate the FDIC’s offsite monitoring systems and tools for their effectiveness and efficiency and to identify opportunities to improve the offsite monitoring process. The Offsite Monitoring Project’s Summary Report and Recommendations stated that, as of June 2005, 283 (60 percent) of 472 institutions with a composite rating of 3 or worse were not identified on a single ORL between June 2001 and March 2005. This interdivisional effort recommended that the selection criteria for the ORL incorporate trend analysis, other statistical measures, and other factors (such as output from other models combined with contributing or mitigating risk factors) to increase the overall predictive capability of the list.
The project also recommended that a core set of profiles be established for institutions that migrate to a composite 3 rating and that these profiles be statistically compared to the output from other models. Additionally, the project report included recommendations to improve the performance of SCOR, SCOR-Lag, GMS, and other FDIC offsite monitoring tools. However, we found no evidence that the recommendations had been implemented.

In 2003, the FDIC published an article about SCOR, noting that its performance has declined particularly in good economic periods. The article noted:

    The low level of accuracy might be expected inasmuch as SCOR relies completely on financial ratios. Any such model will probably be more accurate when the reasons for downgrades are financial, and less accurate when the reasons have to do with some aspect of bank operations that does not affect the bank’s financial ratios. For example, examiners may downgrade a bank because they discover that it has significantly weakened its underwriting standards or has weak internal controls—but as long as the more risky loans have not become past due, problems might not have made their way to the financial statements. Consequently, one might reasonably expect that SCOR would be less accurate over the last decade. The reliance on financial data has several other effects on SCOR’s performance. For one thing, it means that SCOR is completely dependent on the accurate reporting of financial information.

DSC officials we interviewed reiterated that SCOR relies on the financial information reported by institutions in Call Reports and TFRs. To the extent this information is inaccurate, the ORL may be impacted.
According to DSC officials, DSC has begun looking at this issue by assessing whether institutions that were downgraded and not detected by SCOR eventually filed amended Call Reports. That review was still ongoing at the time of issuance of this report.

DSC also indicated that in 2008, it implemented ICARuS as an offsite risk monitoring tool to identify institutions, between examinations, that may warrant increased supervisory attention because of an increased susceptibility to fraud. ICARuS was developed as a solution for identifying certain management-related characteristics, financial indices, and trends that were common among the failures and near failures not identified by SCOR.

Implementation of a GAO Recommendation Related to Evaluating Offsite Monitoring Systems

GAO’s February 2007 report noted that SCOR is informative but does not always produce accurate results. GAO further noted that such a finding and the FDIC’s limited evaluation of its other offsite monitoring systems underscore the need for more regular reviews. GAO recommended that, “to strengthen the oversight of its risk assessment activities, the FDIC should develop policies and procedures clearly defining how it will systematically evaluate and monitor its risk assessment activities and ensure that required evaluations are conducted in a comprehensive and routine fashion.”

In response to the GAO report, the Corporation stated that an interdivisional committee would perform an in-depth review of its risk assessment activities and evaluation procedures. As part of that review, the FDIC would seek to improve its offsite monitoring systems. The plan for this effort included the development of an Offsite Models and Systems Validation Program.
As part of the validation program, the FDIC planned to conduct two types of reviews—a logical and conceptual soundness review of the offsite systems, performed over a 4-year period, and a backtesting (outcome analysis) review to be performed annually as follows:

    • 2008—SCOR and SCOR-Lag
    • 2009—GMS and Consistent Grower
    • 2010—Real Estate Stress Test
    • 2011—MultiFlag, Young Institutions, and Quarterly Lending Alert

The backtesting reviews would include analyses of (1) trends in the number of institutions flagged, (2) analyses of trends in the underlying model or system ratios, and (3) a comparison of the model or system predictions to actual results.

In addition, DSC completed a study of the impact of fraud on financial institution failures and near failures over an 8-year period. The study identified certain management-related characteristics, financial indices, and trends that were common among the failures and near failures. One of the study’s primary recommendations was that DSC should develop an offsite monitoring system that identifies the presence of these characteristics and measures an institution’s susceptibility to fraud. As a result, in May 2008, DSC implemented ICARuS, which identifies institutions that may warrant increased supervisory attention between examinations because of an increased susceptibility to fraud.
According to DSC officials, ICARuS results, used in conjunction with SCOR data, improve the overall offsite monitoring results.

Conclusion

Validation of the assumptions and methodology used in SCOR is needed on a priority basis to determine if the performance of the system could be enhanced. In addition, thorough evaluations of all DSC offsite monitoring systems that create the ORL are needed on a regular basis to determine whether the assumptions and methodologies used reasonably support determinations for including institutions on the ORL. Using actual failure and downgrade information to test offsite monitoring systems and incorporating the results into evaluations of those systems could lead to a more focused ORL and a more effective and efficient offsite monitoring program. Scheduling all models-based offsite monitoring systems for regular evaluations and establishing procedures to conduct the evaluations would help to assure that management’s objectives regarding offsite monitoring are being achieved and financial risks to the DIF are being mitigated.

Recommendations for Enhancing the Effectiveness of the ORL

We recommend that the Director, DSC:

    (1) Validate the assumptions and methodology used in SCOR.

    (2) Ensure that the regular evaluations of all offsite monitoring systems used to create the ORL are performed as scheduled.

    (3) Establish procedures to evaluate all models-based offsite monitoring systems. As part of these procedures, assess recent failure and downgrade information to test the efficacy of the logic and assumptions used in the offsite monitoring systems.

CORPORATION COMMENTS AND OIG EVALUATION

On February 10, 2009, the Director, DSC, provided a written response to the draft of this report.
Management’s response is presented in its entirety in Appendix 4. Management concurred with our recommendations and stated it had completed the recommended actions.

Regarding validation, DSC stated that DSC and DIR will validate the assumptions and methodology used in SCOR by reviewing the offsite models that comprise SCOR on an annual rotational basis. With respect to evaluations of all offsite monitoring systems, DSC stated that DSC and DIR approved a regular validation schedule and have completed the first of the scheduled annual reviews. Further, DSC stated that it has established procedures to evaluate all models-based offsite monitoring systems. The procedures include: analyzing trends, performing statistical analyses of model logic and assumptions, and providing a summary of related research findings pertaining to the financial performance and CAMELS rating trends. The first of these evaluations was completed in December 2008, according to DSC.

A summary of management’s response to each recommendation is in Appendix 5. DSC’s planned actions are responsive to our recommendations and the recommendations are resolved. Management indicated that it had completed the recommended actions; we will close the recommendations after reviewing those actions.

APPENDIX 1
OBJECTIVE, SCOPE, AND METHODOLOGY

Objective

The audit objective was to assess the FDIC’s internal controls for performing offsite monitoring of insured financial institutions.
We focused the audit on the DSC controls pertaining to offsite reviews of institutions on the FDIC’s ORL, which identifies insured 1- and 2-rated institutions with potential problems. As part of our audit, we also reviewed DSC’s implementation of a recommendation by GAO, pertaining to strengthening the FDIC’s risk assessment activities through periodic evaluations and monitoring, including offsite monitoring. We conducted this performance audit from April 2008 through July 2008 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

Scope and Methodology

The FDIC insures deposits at approximately 8,500 institutions and supervises about 5,200 institutions as shown in Table 3 below.

Table 3: Number of Insured and Supervised Institutions, by Regulator

Supervisor  Number of     Total         Domestic     Estimated Insured
            Institutions  Assets*       Deposits*    Deposits*
FDIC        5,197         $ 2,180,697   $1,582,951   $1,091,571
OCC         1,632           7,782,387    3,590,744    1,995,866
FRB           878           1,519,012      845,494      502,812
OTS           826           1,556,670      892,592      696,835
Totals      8,533         $13,038,765   $6,911,780   $4,287,084

Source: The FDIC Quarterly Banking Profile, dated December 31, 2007.
* Dollars in millions.

During this audit, we selected a judgmental sample[6] of 60 of 577 institutions from the December 31, 2007 ORL to determine whether DSC had completed offsite reviews for each of the sampled institutions and developed supervisory strategies in accordance with DSC policies and procedures. We also evaluated the FDIC’s implementation of GAO’s recommendation to strengthen its risk assessment activities, as it relates to offsite monitoring.

[6] The results of a non-statistical sample cannot be projected to the intended population by standard statistical methods.

For the sampled institutions, we:

    o Reviewed the ORL data.

    o Ensured that offsite reviews were completed in accordance with the Procedures Manual instructions for offsite reviews.

Additionally, we:

    o Reviewed memoranda and other documents related to the planning and performance of the offsite monitoring program.

    o Discussed other agencies’ offsite monitoring programs with DSC.

    o Compared institutions that either failed or were downgraded by two or more ratings to those institutions listed on the ORLs during the same periods.

Internal Control

The audit focused on the controls related to offsite monitoring and reviews of institutions on the ORL.
These controls included policies and procedures contained in the Procedures Manual, which describes steps the FDIC should take in performing offsite reviews.

Reliance on Computer-processed Information

For purposes of the audit, we used computer-processed information provided in the ViSION system to support our significant findings, conclusions, and recommendations. To assess the reliability of this information, we tested the process for a sample of 60 institutions. The testing of computer-processed information was limited to our comparison of specific data elements, such as SCOR ratings, risk flags, asset size, level of risk, risk trend, and relevant follow-up codes[7] for the 60 sampled financial institutions on the ORL. Additionally, we used the ViSION system to review examiner and supervisory comments from the other regulators and determine the timeliness of reviews by the Case Managers and Field Supervisors and of ARD approvals of the supervisory strategies.

[7] The follow-up codes are None, Continued Monitoring, or Onsite Activity.

Performance Measurement

We reviewed FDIC performance plans and strategic plans to determine whether the Corporation has established quantifiable performance measures related to its efforts to identify risk in institutions through the ORL. The Corporation has not established performance measures related to the ORL.

Compliance With Laws and Regulations

We determined that there were no applicable laws and regulations directly related to offsite monitoring.
In addition, we assessed the risk of fraud and abuse related to the audit objective in the course of evaluating audit evidence.

Prior Coverage

In September 2002, we issued Audit Report No. 02-033 entitled, Statistical CAMELS Offsite Rating Review Program for FDIC-Supervised Banks. The audit objectives were to determine the effectiveness of SCOR as an early warning system and assess actions taken by DSC. The audit concluded that the effectiveness of the SCOR review program in detecting potential deterioration in the financial condition of insured depository institutions was limited because (1) a time lag of up to 4½ months existed between the date of the Call Report and the subsequent offsite review; (2) SCOR depends on the accuracy and integrity of Call Report information to serve as an early warning between examinations; (3) SCOR does not assess institution management quality and internal control or capture risks from non-financial factors such as market conditions, fraud, or insider abuse; and (4) DSC Case Managers rarely initiate follow-up action to address probable downgrades identified by SCOR other than deferring to a past, present, or future examination.

In February 2007, GAO issued a report entitled, Federal Deposit Insurance Corporation: Human Capital and Risk Assessment Programs Appear Sound, but Evaluations of Their Effectiveness Should Be Improved, Report No. GAO-07-255. GAO noted that SCOR is informative but does not always produce accurate results. GAO further noted that such a finding and the FDIC’s limited evaluation of its other offsite monitoring systems underscore the need for more regular reviews.
GAO recommended that, to strengthen the oversight of its risk assessment activities, the FDIC should develop policies and procedures clearly defining how it will systematically evaluate and monitor its risk assessment activities and ensure that required evaluations are conducted in a comprehensive and routine fashion.

APPENDIX 2
THE FDIC’S OFFSITE MONITORING TOOLS

According to DSC, in addition to the ORL, the FDIC has established several other offsite monitoring tools that are used to monitor risks within the industry and to identify potential emerging issues that may require additional supervisory follow-up. The FDIC provided brief descriptions of these tools, as follows:

• Large Insured Depository Institution Program – Quarterly offsite review program for institutions rated 3, 4, or 5 and with more than $3 billion in assets and all institutions with more than $10 billion in assets, including non-FDIC regulated institutions.

• Internal Control Assessment Rating System and RAC Dashboard – In early 2006, an interdivisional executive sponsor team using resources from DSC and DIR was created to oversee efforts to enhance the FDIC’s offsite monitoring programs. The team developed ICARuS, an offsite monitoring system designed to identify institutions that may be more susceptible to fraud, and the RAC Dashboard. The RAC Dashboard is an information management tool to organize and synthesize key data about external risks to the banking industry.
The components of the Dashboard reflect six major sources of risk: credit, economic, financial, large bank, market, and supervisory. The Dashboard consists of a set of risk indices that reflect underlying conditions in each of the risk areas. The index calculations rely on the quantitative as well as the subjective analysis of subject matter experts. Combining all relevant information into this simple risk index measure allows for consistent and meaningful interpretation both within and across business units. The Dashboard is an interdivisional project of the RAC; it is not intended to supplant the expertise of individual FDIC business units, but rather is meant to engage different divisions in a joint interpretation of risk data for the FDIC’s National Risk Committee (NRC)[8] and other organizations within the Corporation.

• Regional Watch Lists – Include institutions that are tracked and reported on by the regions in the Automated Regional Information System. The regional offices forward the watch lists to the Washington Office in the form of monthly status reports and include institutions listed on the Regional Bank Secrecy Act watch lists and Regional QLAs, which include institutions with significant exposures to subprime and nontraditional mortgage products.

• Regional Offsite Monitoring and Supervisory Strategies – Various strategies are continually developed by the regional offices for areas of concern germane to each area of the country, including areas experiencing economic downturns such as Puerto Rico; states affected by deterioration in the auto industry; areas with heightened commercial real estate concentrations; etc.

• Regional Risk Committees – Meet regularly to discuss current and emerging risks and to rank them in order of priority. These risks are monitored on an interdivisional basis, and material concerns are conveyed to the FDIC’s NRC.

• Quarterly Supervisory Risk Profile – Highlights DSC’s monitoring of the current conditions of banks, including emerging risks (and how they are prioritized), and the division’s supervisory response.

[8] The NRC identifies and evaluates the most significant external business risks facing the FDIC and the banking industry. Members of the committee include the Chief Operating Officer; Chief Financial Officer; Deputy to the Chairman; Special Advisor to the Chairman; Directors for DSC, DIR, and the Division of Resolutions and Receiverships; and the General Counsel.

APPENDIX 3
OIG ANALYSIS OF WHETHER FAILED INSTITUTIONS WERE ON THE ORL PRIOR TO FAILURE

Institution                                Date of     Latest Date      Institution on the ORL  No. of       Estimated Loss
                                           Failure     Institution Was  4 Quarters Prior to     Quarters on  to the DIF as of
                                                       Rated 1 or 2     Being Rated 1 or 2      the ORL      July 31, 2008
First Heritage Bank, N.A. [a]              7/25/2008   6/26/2008        No                      None         $819,843,000
First National Bank of Nevada              7/25/2008   10/15/2007       No                      None         $41,773,000
IndyMac Bank, F.S.B. [b]                   7/11/2008   1/25/2008        No                      None         $8.9 Billion
First Integrity Bank, N.A.                 5/30/2008   7/1/2003         Yes                     2            $2,346,000
ANB Financial, N.A.                        5/9/2008    2/23/2007        Yes                     4            $214,000,000
Hume Bank                                  3/7/2008    7/16/2007        No                      None         $2,618,000
Douglass National Bank                     1/25/2008   11/22/2005       No                      None         $6,000,000
Miami Valley Bank                          10/4/2007   4/2/2007         No                      None         $18,700,000
NetBank                                    9/28/2007   1/9/2006         Yes                     2            $150,000,000
Metropolitan Savings Bank                  2/2/2007    1/22/2007        No                      None         $8,905,989
Bank of Ephraim                            6/25/2004   4/7/2003         Yes                     2            $2,998,017
Guaranty National Bank of Tallahassee      3/12/2004   7/23/2001        No                      None         $0
Dollar Savings Bank                        2/14/2004   2/14/2004        No                      None         $0
Pulaski Savings Bank                       11/14/2003  11/14/2003       No                      None         $679,452
The First National Bank of Blanchardville  5/9/2003    5/9/2003         Yes                     1            $12,776,628
The Farmers Bank & Trust of Cheneyville    12/17/2002  10/15/2002       No                      None         $12,204,810
AmTrade International Bank of Georgia      9/30/2002   5/13/2002        Yes                     1            $1,325,766
Universal F.S.B.                           6/27/2002   6/27/2002        No                      None         $274,452
NextBank, N.A.                             2/7/2002    8/20/2001        Yes                     4            $114,700,478
Oakwood Deposit Bank                       2/1/2002    2/1/2002         No                      None         $63,802,661

Source: The ViSION system and FDIC press releases.
[a] N.A. – National Association.
[b] F.S.B. – Federal Savings Bank.

APPENDIX 4
CORPORATION COMMENTS

APPENDIX 5
MANAGEMENT RESPONSE TO RECOMMENDATIONS

This table presents the management response on the recommendations in our report and the status of the recommendations as of the date of report issuance.

Rec.  Corrective Action: Taken or Planned [a]       Monetary  Resolved: [b]  Open or
No.                                                 Benefits  Yes or No      Closed [c]
1     DSC and DIR will validate the assumptions     $0        Yes            Open
      and methodology used in SCOR by reviewing
      the offsite models that comprise SCOR on an
      annual rotational basis.

      DSC stated that the SCOR validation was
      completed in December 2008.

2     DSC and DIT have (1) approved a regular       $0        Yes            Open
      validation schedule and (2) completed the
      first of the scheduled annual reviews.

3     DSC has established the following procedures  $0        Yes            Open
      to evaluate all models-based offsite
      monitoring systems: analyzing trends,
      performing statistical analyses of model
      logic and assumptions, and providing a
      summary of related research findings
      pertaining to the financial performance and
      CAMELS rating trends.

[a] In its written response to a draft of this report, DSC management stated that it concurred with the recommendations and had completed the recommended actions. We will close the recommendations after reviewing those actions.

[b] Resolved –
    (1) Management concurs with the recommendation, and the planned, ongoing, and completed corrective action is consistent with the recommendation.
    (2) Management does not concur with the recommendation, but alternative action meets the intent of the recommendation.
    (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.

[c] Once the OIG determines that the agreed-upon corrective actions have been completed and are responsive to the recommendations, the recommendations can be closed.

APPENDIX 6
ACRONYMS USED IN THE REPORT

ARD      Assistant Regional Director
CAMELS   Capital, Asset Quality, Management, Earnings, Liquidity, and Sensitivity to Market Risk
DIF      Deposit Insurance Fund
DIR      Division of Insurance and Research
DSC      Division of Supervision and Consumer Protection
FDIC     Federal Deposit Insurance Corporation
FRB      Board of Governors of the Federal Reserve System
GAO      Government Accountability Office
GMS      Growth Monitoring System
ICARuS   Internal Control Assessment Rating System
LIDI     Large Insured Depository Institution
NRC      National Risk Committee
OCC      Office of the Comptroller of the Currency
OIG      Office of Inspector General
ORL      Offsite Review List
OTS      Office of Thrift Supervision
QLA      Quarterly Lending Alert
RAC      Risk Analysis Center
REST     Real Estate Stress Test
SCOR     Statistical CAMELS Offsite Rating
TFR      Thrift Financial Report
UFIRS    Uniform Financial Institutions Rating System
ViSION   Virtual Supervisory Information on the Net
'